Stay Secure with PHP Applications like Joomla, WordPress and more!
As with any software, open source is vulnerable to attack, particularly older
versions once the developers publish details of the bugs fixed in them. What we
have noticed over the past few months is that once a new update for a system is
released together with a bug report for the older version, users who do not
upgrade are often attacked by malicious scanning scripts that attempt to gain
access to all sites.
We are not undermining any of the software mentioned in this post, nor
recommending that you do not use it; we know each publisher works incredibly
hard to tighten the locks, and security is not really about a perfectly secure
system. If somebody really wants access, they will do all they can to get it.
This post is to help you double lock the gate; there is no guarantee you aren't
vulnerable to attack, as the wrong permissions on an important file or an
incorrect .htaccess file can allow access.
As always, if you have any security or software concerns we
are more than happy to discuss these with you.
Password
We start with the most common weakness. Basic passwords are a vulnerability
that can be easily resolved with good security habits. Using a strong password
is important for making it difficult for people to guess your password, and
hard for a brute force attack to succeed.
Whenever you create a user, we recommend using a password
generator such as - http://www.pctools.com/guides/password/
All of our cPanel services include a minimum requirement of 50 for password
strength and include a Password Generator Tool that can also be used to help
you create a strong, secure password for your website.
What not to do when choosing a password –
When creating your password, do not use your real name, username, company,
name of your website or a dictionary word, and do not use fewer than 6
characters.
Default Admin User
Most brute force attacks try the usernames admin or administrator when
attempting to gain access, so changing the Super Administrator username is
vital. As with your password, we do not recommend you use your real name,
username, company, name of your website or a dictionary word, or anything
shorter than 6 characters.
Your name with a few different combinations of letters and numbers is
recommended, as most applications allow you to change the alias that is
displayed from the name you log in with.
Stay Updated
As mentioned previously, and the most obvious step (as with your password):
keep your system and any plugins, themes, etc. up to date.
A side note: if your plugins/themes/etc. do not work with the latest version
of WordPress, they are probably not very secure and we would recommend
switching.
Protect Your Config File
All config files hold very confidential details; a compromise could give an
attacker access to your database and, from there, to the website itself. It is
important you do all you can to protect this file.
An easy way to protect your configuration file is by adding
the below to your .htaccess file –
# Replace configname.php with your application's configuration file
# (e.g. wp-config.php for WordPress, configuration.php for Joomla).
# This is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat
# use "Require all denied" instead of the Order/Deny lines.
<files configname.php>
Order allow,deny
Deny from all
</files>
Protect Your Htaccess File
Using the same process as above, add the following to your
.htaccess file -
# Stop the .htaccess file itself from being served to visitors.
<files .htaccess>
Order allow,deny
Deny from all
</files>
Change Database Table Prefix
The default table_prefix is often related to the script, for
example jos for Joomla, and wp for WordPress. We recommend you
change this to something out of the ordinary which is difficult to guess.
Limit the Number of Failed Login Attempts
Limiting the number of failed login attempts is a great defence against
somebody trying to manually guess your password or running a brute force
attack.
This is a great extension for WordPress - http://wordpress.org/extend/plugins/login-lockdown/
File Permissions
Ensure all your files have the correct permissions: folders should be CHMOD'd
to 755 and files to 644.
Logging
Logs allow you to see exactly what damage has been done, which helps you
diagnose the problem and get your website back online. The Access Logs or
Error Logs of most systems do not tell you exactly who accessed the site, but
they do provide you with an IP address and the time it occurred.
Common practice for server administrators is to run
ModSecurity with Apache. This acts as a Web Application Firewall, filtering the
traffic.
Data Backups
Back up your website files and MySQL databases regularly. Once a day, once a
week, every few days: it is entirely up to you. Download and store everything
separately on your local PC in ZIP format, dated correctly, to ensure data
integrity.
We provide a facility within cPanel to do this on a daily basis, but we
encourage users to take their own backups, as you can get yourself back online
quicker, and a restore carried out by us may incur administrative charges.
Thursday, May 2, 2013